Cube.COS - Release Note
#
AbstractBigstack CUBE.COS 2.5 is a major release for CUBE.COS cloud operating system. This release provides the following updates to Bigstack CUBE.COS version 2.5:
- Based on CentOS Stream 9
- Kernel version : 5.14.0-435
- Nova version : 25.3.0 (Yoga)
- Ovn version : 23.03
- Ceph version : 17.2.6 (Quincy)
- Rancher version : v2.7.9
- Nvidia GPU driver to 535.104
#
New functionality- Cloud Computing
- Added support of VFIO and GPU Passthrough
- Centralized GPU management across GPU nodes
- Added support of GPU / PCI devices auto orchestration
- Added CLI option to reset instance status for recovery
- Storage
- Volume Mirror
- Enhanced mirror management in a single view
- Added support of journal or snapshot for each mirror rule
- Added support of instance creation from target volume in backup site
- Enhanced virtual machine power state aligned with mirror promotion/demotion process
- Object Storage - CLI options to manage bucket quota and IP filters
- Volume Mirror
- Networking and Network Security
- Added CLI option to fix errors on loadbalancer-as-a-service
- Operation and Management
- New CLI options
- to update license by node
- to update license from ISO image
- to check and repair filesystem on instances
- to detect conflicts with IP addresses in the environment
- Benchmark tools for
- Hard drives
- Storage pools
- Added alert management for threshold adjustment
- Global settings for all alerts
- Individual setting for specific service
- Added support of
- hard drive model and serial number detection
- disk failure prediction
- cluster check on disk failure (new error code)
- New CLI options
#
Changed features- There is no changed feature in this release.
#
Fixed defects- Bug Fixes since Cube 2.3.0, including fixpacks and hotfixes.
#
Fixpacks#
Enhancements and fixes in Cube 2.4- Patched Security Updates
- Information disclosure flaw found in ansible-core (CVE-2024-0690)
- A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record (CVE-2023-38469)
- A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function (CVE-2023-38471)
- A reachable assertion exists in the avahi_rdata_parse() function (CVE-2023-38472)
- A reachable assertion exists in the avahi_escape_label() function (CVE-2023-38470)
- A reachable assertion exists in the avahi_alternative_host_name() function (CVE-2023-38473)
- This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash (CVE-2023-1981)
- BIND9 bad allocation of resources that can affect the available memory of the system (CVE-2023-2828)
- Prevent possible endless loop when refreshing stale data (CVE-2023-2911)
- BIND9 limit the amount of recursion possible in the control channel (CVE-2023-3341)
- AutoTools does not set CARES_RANDOM_FILE during cross compilation (CVE-2023-31124)
- Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)
- Insufficient randomness in the generation of DNS query IDs (CVE-2023-31147)
- 0-byte UDP payload Denial of Service (CVE-2023-32067)
- Exposure of resource to wrong sphere in runc (CVE-2024-21626)
- Improper Preservation of Permissions in runc (CVE-2023-25809)
- Use of Incorrectly-Resolved Name or Reference in runc (CVE-2023-27561)
- Improper Link Resolution Before File Access ('Link Following') in runc (CVE-2023-28642)
- Allocation of Resources Without Limits or Throttling in containerd (CVE-2023-25153)
- CVE-2023-25173
- Information leak through Cups-Get-Document operation (CVE-2023-32360)
- Use-after-free in scheduler/client.c (CVE-2023-34241)
- Heap buffer overflow may lead to DoS (CVE-2023-32324)
- Return error if the hostname is too long for remote resolve (CVE-2023-38545)
- Cookie injection with none file (CVE-2023-38546)
- Lowercase the domain names before PSL checks (CVE-2023-46218)
- Unify the upload/method handling (CVE-2023-28322)
- Hostname wildcard checking (CVE-2023-28321)
- FTP too eager connection reuse (CVE-2023-27535)
- SSH connection is too eager to reuse (CVE-2023-27538)
- GSS delegation too eager connection re-use (CVE-2023-27536)
- SFTP path resolving discrepancy (CVE-2023-27534)
- TELNET option IAC injection (CVE-2023-27533)
- HTTP multi-header compression denial of service (CVE-2023-23916)
- D-Bus unprivileged user to crash dbus-daemon issue (CVE-2023-34969)
- Limited offered EDNS0 size 1232 (CVE-2023-28450)
- Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message (CVE-2023-45229)
- Buffer overflow in the DHCPv6 client via a long Server ID option (CVE-2023-45230)
- Out of Bounds read when handling an ND Redirect message with truncated options (CVE-2023-45231)
- Infinite loop when parsing unknown options in the Destination Options header (CVE-2023-45232)
- Infinite loop when parsing a PadN option in the Destination Options header (CVE-2023-45233)
- Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)
- Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message (CVE-2023-45235)
- Openssl: X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
- Openssl: use-after-free following BIO_new_NDEF (CVE-2023-0215)
- Sensitive information disclosure due to improper HTTP body handling in urllib3 (CVE-2023-45803)
- PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack (CVE-2023-52323)
- Possible arbitrary HTML attribute injection leading to Cross-Site Scripting (XSS) in Jinja (CVE-2024-22195)
- Possible information leakage due to HTTP redirects when custom cookie headers are set in urllib3 (CVE-2023-43804)
- Removing insecure root certificate authority (CVE-2023-37920)
- The httpd-2.4.62-1.el9.x86_64 package now includes critical security enhancements, specifically addressing the recently identified vulnerability (CVE-2023-43622)
#
OpenStack Services#
Web Frontend- Horizon (Dashboard)
#
Share Services- Keystone (Identity)
- Glance (Image)
- Barbican (Key Store)
#
Compute- Nova (Virtual Machine)
- Ironic (Bare-metal)
#
Accelerator- Cyborg (GPU, FPGA, ASIC, NP, SoCs, NVMe/NOF SSDs, ODP, DPDK/SPDK and so on)
#
Networking- Neutron (SDN/NFV, VPN as a Service)
- Octavia (Load Balance as a Service)
- Designate (DNS as a Service)
#
Storage- Cinder (Block Storage)
- Manila (File Storage)
- Swift (Object Storage)
#
Orchestration- Heat (Orchestration)
- Senlin (Auto-scaling)
#
Monitoring- Monasca (Telemetry)
#
High Availability- Masakari (Instance HA)
#
Resource Optimaztion- Watcher (Infrastructure Optimization)
#
Cube Infrascope- ELK
Elasticsearch (v7.10)Opensearch (v2.10)Kibana (v7.10)Opensearch-dashboards (v2.10)- Logstash (v8.9.0)
- Filebeat (v8.10.2)
- Auditbeat (v8.10.2)
- TIGK
- Telegraf (v1.17)
- Influxdb (v1.8.10)
Grafana (v7.5.9)Grafana-enterprise (v10.1.5)- Kapacitor (v1.5.7)
- Data Pipeline
- Zookeeper (v2.13)
- Monasca (v2.5.0)
- Kafka (v2.7)
#
Identity- Keycloak (v17.0.1)
#
AnnouncementsThe Bigstack CUBE.COS cloud operating system version 2.4 is generally available in May, 2024.
#
CompatibilitiesThe following Cube related products are currently supported by Cube 2.4 and can only be run against Cube 2.4 or above.
- CUBE.CMP 1.7
- Prerequisites: Cube 2.4 with AppFramework deployed
- CUBE.VDI Driver and integration
- Prerequisites: Cube 2.4 and Cube VDI essentials
Contact Bigstack: https://www.bigstack.co/contact/ for details of Cube products.
#
Installation and ConfigurationFor CUBE.COS installation, see the following topics in Bigstack documentation.
To get started with CUBE.COS, see Quick Start in Bigstack documentation.
#
Known issuesAfter enable OTP login, Keycloak page show nothing.
#
Related informationBigstack Co., Ltd. is a software and consulting company, focused on open source, software-defined data center, cloud platforms, and security.
Contact Bigstack: https://www.bigstack.co/contact/